Google Patches Buzz Security Vulnerability

Google fixes a bug affecting the mobile version of Google Buzz that left users open to having their accounts hijacked. The search engine giant has been trying to soothe privacy and security concerns about its new social networking service.

Google has fixed a cross-site scripting bug that allowed
attackers to take control of Google Buzz accounts.
The bug affects
the mobile version of Buzz and was reported Feb. 16 by SecTheory CEO
Robert Hansen. Google patched the vulnerability the same day.

According to Hansen, news of the flaw was passed along to
him by a hacker with the moniker of TrainReq.

"There [are] four things of note here," Hansen
blogged. "Firstly, it's on Google's domain, not some other domain like
Google Gadgets or something. So, yes, it's bad for phishing and for cookies.
Secondly, it's over SSL/TLS
[Secure Sockets Layer/Transport Layer Security] (so no one should be able to
see what's going on, right?). Third, it could be used to hijack Google Buzz-as
if anyone is using that product (or at least you shouldn't be). And lastly, isn't
it ironic that Google is asking to know where I am on the very same page that's
being compromised?"
Hansen was referring to the location feature in Buzz that
shows where Buzz users are when they post. This feature can be turned off by
the user.
"We have no indication that the vulnerability was
actively abused," a Google spokesperson said. "We understand the
importance of our users' security, and we are committed to further improving
the security
of Google Buzz."

In the week since Buzz was launched Feb. 9, Google has faced
criticism over privacy issues associated with the service. On Feb. 16, the Electronic
Privacy Information
Center filed a complaint with the
Federal Trade Commission that charged
Google with failing to protect users' privacy. In an interview with eWEEK,
Google Vice President of Product Management Bradley Horowitz said the company did
not expect the negative
response that Google Buzz received on the privacy issue.
"While the outcome was not something I would have
wished for or predicted, the remedies and response of the team [have] really
indicated to me that we have a great core competency at Google in terms of
being able to develop social software, to be in dialogue with our users and to
rapidly iterate and improve the product," Horowitz told eWEEK.